Skip to main content

Security researchers bell alarm on a zero-day remote code execution vulnerability in Microsoft products. The group also said that the flaw is found to be actively exploited in the wild. The flaw that is tracked as CVE-2022-30190 is a zero-click RCE vulnerability in MSDT that allows attackers to run arbitrary code to install programs, view, change, delete data, or even create new accounts on the victim machines. All these aspects have made this flaw more concerned. It is important for all Windows users to know about this zero-click RCE vulnerability in MSDT and fix it as soon as possible. Let’s see how to fix CVE-2022-30190, a zero-click RCE vulnerability in MSDT, in this post.

About Microsoft Support Diagnostic Tool (MSDT):

Microsoft Support Diagnostics Tool, also known as Microsoft Automated Troubleshooting Services or MATS, is a Microsoft Windows tool designed to automatically collect Microsoft product problem information and assist Microsoft in diagnosing and resolving problems. MSDT helps Microsoft engineers troubleshoot problems with Microsoft products by collecting information about software and hardware configuration, settings, and usage.

Summary Of CVE-2022-30190:

This is a zero-click RCE vulnerability in MSDT. The flaw exists in ‘MSDT URL protocol’. Attackers can exploit this flaw just by calling MSDT using the URL protocol from a Microsoft Office application such as Word. Successful exploitation of this flaw allows attackers to run arbitrary code with the privileges of the calling application. The attacker can further use this vulnerability to install programs, view, change, delete data, or even create new accounts on the Windows machines. Huntress has published a detailed technical analysis of this flaw in its blog. Please go through it if you are querulous to know about the technical details.

To tell how it was a catch, on May 27th, 2022, a security research team known as Nao_sec found an old word doc file uploaded to VirusTotal from a Belarus IP. Upon investigating the Word doc file, the team found that it was a maldoc that uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. Here is the tweet from Nao_sec.

Two days later, a cybersecurity researcher, Kevin Beaumont, who dubbed the flaw “Follina,” confirmed that EDR tools failed to detect the maldoc in his tweet.

Associated CVE IDCVE-2022-30190
DescriptionA Zero-Click RCE Vulnerability in MSDT
Associated ZDI ID
CVSS Score7.8 High
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)Required
Confidentiality (C)High
Integrity (I)High
availability (a)High

Products Vulnerable To Follina, CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT:

Researchers Kevin Beaumont wrote in his Medium post that he successfully tested the flaw on a Windows 10 machine with fully disabled macros and enabled Defender. This clearly shows that this flaw is exploitable on all versions of Windows and Office 365 using .RTF files.

Kevin also wrote that the flaw was successfully tested on Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365 products. Please see the tweet from Rich Warren that shows a working flaw on Windows 11 with Office Pro Plus.

In support of that, there is a video clip shared by Didier Stevens that clarifies the flaw can be exploited on a patched version of Microsoft Office 2021.PoC Created by Didier Stevens

How To Detect Your Windows Is Compromised To Follina Attack?

Well, it is not that difficult to determine if your machine is compromised by the Follina attack. If you see a child process of msdt.exe underneath the Microsoft Office process, then your machine could be compromised. Please refer to the technical analysis published by Huntress for more details.

How To Mitigate CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT?

Microsoft has acknowledged the vulnerability but has yet to release the package. Please track the status of the patches here.

Until there is a patch, you can apply these mitigation techniques to minimize the attack surface.

Block all Office applications from creating child processes on EDR/EndPoint tools. This prevents the creation of msdt.exe as a child process and blocks the exploitation. If your leadership team has concerns about implementing this block, then run the rule in Audit mode for a week or so. Once there is no impact seen, push the rule for production.

Prevent the malware execution by removin#” target=”_blank” rel=”noreferrer noopener”>HKCR:ms-msdt registry as shone in the tweet.

FYI:— Didier Stevens (@DidierStevens) May 29, 2022

How to Mitigate CVE-2022-30190 by disabling the MSDT URL Protocol

  1. Run Command Prompt as AdministratorType ‘command’ in the Search box. Right Click on it, Select Run as administrator

    Run Command Prompt as Administrator
  2. Take back up the registry keyEnter the command to take the backup of the registry key.
    > reg export HKEY_CLASSES_ROOTms-msdt filename

    Take back up the registry key
  3. Delete the HKCR:ms-msdt registry keyIssue this command to delete the HKCR:ms-msdt registry.
    > reg delete HKEY_CLASSES_ROOTms-msdt /f

    Delete the HKCR_ms-msdt registry key
  4. Revert the workaround by restoring the registry key from backupIf in case you want to revert the changes, then you just need to restore the registry key from the backup. Run this command to do this.
    > reg import filename

    Revert the workaround by restoring the registry key from backup

This is how you can fix CVE-2022-30190- A Zero-Click RCE Vulnerability in MSDT.

Leave a Reply